Bypassing Exec Sandbox Restrictions in OpenClaw
Bypassing Exec Sandbox Restrictions in OpenClaw
If you've spent any amount of time building agents in OpenClaw, you've hit the wall. You know exactly which wall I'm talking about: you write a perfectly reasonable tool call — maybe it fetches data from an API, maybe it installs a package your agent needs for analysis, maybe it just tries to write a damn CSV to disk — and the sandbox slaps you with some cryptic Operation not permitted error that tells you absolutely nothing about what went wrong or how to fix it.
You stare at the logs. You Google the error. You find nothing useful. You wonder if you should just rip out the sandbox entirely and run everything on bare metal like a maniac.
Don't do that.
The exec sandbox exists for very good reasons, and once you understand how it restricts execution and where the knobs are, you can get 95% of the functionality you actually need without compromising security. This post is the guide I wish I'd had when I first started banging my head against OpenClaw's sandbox policies. We're going to cover what's actually happening under the hood, the most common restrictions that trip people up, and — most importantly — how to bypass them properly using OpenClaw's own configuration primitives.
No hacks. No security holes. Just the right way to tell the sandbox "yes, I actually need this, and here's exactly how much access I'm granting."
Why the Sandbox Exists (60 Seconds of Context)
Let's get this out of the way fast so we can move to the useful stuff.
When your OpenClaw agent runs code — whether through a PythonREPL tool, a shell command, or any custom executor — that code is running in a sandboxed environment. The sandbox uses a combination of namespace isolation, syscall filtering (think seccomp), and network policy enforcement to prevent arbitrary code from doing things like:
- Reading or modifying files outside the workspace
- Making unrestricted network requests to any endpoint on the internet
- Installing arbitrary system packages or binaries
- Spawning uncontrolled subprocesses
- Accessing hardware devices or host system information
This matters because agents generate code dynamically. An LLM might hallucinate a subprocess.call(['rm', '-rf', '/']) or try to curl something malicious. The sandbox catches that. Good.
The problem is that the default sandbox policy is conservative. Extremely conservative. It's designed for the "I have no idea what this agent will do" case, which means it blocks a ton of operations that are perfectly safe and necessary for real work.
Your job is to tell OpenClaw what your agent actually needs.
The Five Restrictions That Break Everything
In my experience — and echoed by basically everyone in the OpenClaw community — these are the five sandbox restrictions that cause 90% of the pain:
1. Network Access Denied
What happens: Your agent tries to call an API, scrape a webpage, or download a dataset, and gets a connection error or timeout.
Why: The default network policy is deny-all or severely restricted. The sandbox doesn't know which endpoints are safe.
The fix: OpenClaw lets you define explicit network allowlists in your execution policy. Here's what that looks like:
# openclaw.exec.yaml
execution:
sandbox:
network:
policy: restricted
allowlist:
- domain: "api.openai.com"
ports: [443]
- domain: "httpbin.org"
ports: [80, 443]
- domain: "*.amazonaws.com"
ports: [443]
- cidr: "10.0.0.0/8"
ports: [5432, 6379]
The restricted policy with an explicit allowlist is the sweet spot for most agents. You're saying "network access is fine, but only to these specific places." Wildcard subdomains work. CIDR ranges work for internal services.
If your agent legitimately needs broad internet access (e.g., a web research agent), you can set policy: permissive, but pair it with egress logging so you can audit what it's actually hitting:
execution:
sandbox:
network:
policy: permissive
logging:
egress: true
log_bodies: false
2. Package Installation Blocked
What happens: Your agent tries to pip install pandas or pip install some-niche-library and gets a permission error or the command hangs.
Why: The sandbox restricts subprocess execution and write access to system directories. pip install needs both.
The fix: OpenClaw supports pre-approved package lists and a managed install mechanism that doesn't require full system access:
execution:
sandbox:
packages:
python:
preinstalled:
- pandas
- numpy
- requests
- beautifulsoup4
- matplotlib
- scikit-learn
allow_install: true
approved_packages:
- plotly
- seaborn
- yfinance
- openpyxl
index_url: "https://pypi.org/simple/"
The preinstalled list tells OpenClaw to bake these into the sandbox environment from the start — no install step needed, zero latency. The approved_packages list lets the agent install additional packages on-demand, but only from this list and only from the specified index.
This is the right answer to the "my agent needs to install stuff" problem. You're not giving it pip install anything-it-wants. You're giving it a curated set of packages that you've vetted.
Pro tip: If you find yourself constantly adding packages to the approved list, just move them to preinstalled. The install step inside a sandbox adds 2-10 seconds per package, which compounds badly when your agent is doing multi-step reasoning.
3. File System Access Denied
What happens: Your agent tries to write analysis results to a file, read an uploaded document, or create temporary files, and gets a permission error.
Why: The sandbox restricts filesystem access to a narrow workspace directory. Anything outside that path is off-limits.
The fix: Understand the workspace model and use it properly:
execution:
sandbox:
filesystem:
workspace_dir: "/workspace"
writable: true
max_size_mb: 512
persist_across_calls: true
upload_dir: "/workspace/uploads"
output_dir: "/workspace/outputs"
The critical setting here is persist_across_calls: true. Without this, every tool call gets a fresh filesystem, which means your agent can't build on previous work. With it enabled, the workspace survives across multiple calls within the same session.
In your agent's system prompt or tool descriptions, make sure you reference these paths explicitly:
# In your OpenClaw tool definition
tool_description = """
Execute Python code for data analysis.
Files uploaded by the user are available at /workspace/uploads/
Save any output files to /workspace/outputs/
All file operations must use paths under /workspace/
"""
This seems obvious, but I've seen agents waste 5+ reasoning steps trying to write to /tmp or /home/user or other paths that the sandbox blocks. Tell the agent where it can write. It'll listen.
4. Subprocess Execution Blocked
What happens: Your agent tries to run a shell command via subprocess, os.system, or similar, and gets blocked.
Why: Subprocess spawning is one of the most dangerous capabilities. The sandbox locks it down hard by default.
The fix: OpenClaw offers granular subprocess policies:
execution:
sandbox:
subprocess:
allow: true
allowed_commands:
- "python"
- "pip"
- "cat"
- "head"
- "tail"
- "wc"
- "grep"
- "sort"
blocked_commands:
- "rm"
- "curl"
- "wget"
- "chmod"
- "chown"
- "sudo"
max_runtime_seconds: 30
The allowed_commands whitelist is your friend. Most data analysis agents only need a handful of shell commands. List them explicitly. Everything else stays blocked.
The max_runtime_seconds setting is crucial too. Without it, a runaway subprocess (infinite loop, hung download) will eat your sandbox's resources until the session times out. Thirty seconds is generous for most operations.
5. Resource Limits Too Tight
What happens: Your agent's code runs but gets killed partway through — OOM errors, CPU time exceeded, or mysterious crashes.
Why: The sandbox enforces resource limits (memory, CPU time, output size) that may be too low for your workload.
The fix:
execution:
sandbox:
resources:
max_memory_mb: 1024
max_cpu_seconds: 60
max_output_size_mb: 10
max_processes: 4
Bump these according to your actual needs. If your agent is doing pandas operations on datasets with 100k+ rows, 256MB of RAM isn't going to cut it. If it's generating plots, the output size limit needs room for image data.
Don't set these to unlimited. Set them to "enough for the biggest thing my agent should reasonably be doing, plus a 50% buffer."
Putting It All Together: A Real Configuration
Here's a complete openclaw.exec.yaml that I'd use for a data analysis agent — the kind of agent that needs to read uploaded CSVs, do pandas/matplotlib work, call a couple APIs, and return results:
# openclaw.exec.yaml — Data Analysis Agent
execution:
sandbox:
network:
policy: restricted
allowlist:
- domain: "api.exchangerate-api.com"
ports: [443]
- domain: "*.githubusercontent.com"
ports: [443]
logging:
egress: true
packages:
python:
preinstalled:
- pandas
- numpy
- matplotlib
- seaborn
- openpyxl
- requests
allow_install: false
filesystem:
workspace_dir: "/workspace"
writable: true
max_size_mb: 512
persist_across_calls: true
upload_dir: "/workspace/uploads"
output_dir: "/workspace/outputs"
subprocess:
allow: true
allowed_commands:
- "python"
- "head"
- "wc"
max_runtime_seconds: 30
resources:
max_memory_mb: 1024
max_cpu_seconds: 120
max_output_size_mb: 20
max_processes: 2
logging:
level: "info"
log_blocked_operations: true
log_file: "/workspace/sandbox.log"
Notice allow_install: false. I'm not letting this agent install anything at runtime. Everything it needs is pre-installed. This shaves seconds off every tool call and eliminates an entire category of security risk.
Also notice log_blocked_operations: true. This is your debugging lifeline. When something gets blocked, you'll see exactly what operation was attempted and which policy blocked it. No more guessing.
Debugging Sandbox Violations
Even with a well-configured policy, you'll occasionally hit blocks you didn't expect. Here's the workflow:
Step 1: Check the sandbox log:
# Quick way to check from within an agent tool call
with open('/workspace/sandbox.log', 'r') as f:
recent = f.readlines()[-20:]
for line in recent:
print(line.strip())
Step 2: Look for the specific violation type. OpenClaw sandbox logs typically show entries like:
[BLOCKED] syscall=connect dest=93.184.216.34:80 policy=network.restricted
[BLOCKED] subprocess=wget policy=subprocess.allowed_commands
[BLOCKED] filesystem=write path=/etc/hosts policy=filesystem.workspace_only
Step 3: Decide if the blocked operation is legitimate. If yes, update your policy. If no, you just caught your agent doing something it shouldn't, which is the sandbox working as intended.
Step 4: If you need to test policy changes without redeploying, OpenClaw supports policy hot-reloading in development mode:
openclaw exec --dev --policy ./openclaw.exec.yaml --reload-on-change
This lets you edit the YAML and have it take effect on the next tool call without restarting the session.
The Shortcut: Felix's OpenClaw Starter Pack
If this configuration stuff feels overwhelming — or if you just want to skip the trial-and-error phase and start with sane defaults — I'd strongly recommend grabbing Felix's OpenClaw Starter Pack.
I'm recommending it because it solves the exact problem this post is about: the starter pack comes with pre-configured execution policies for the most common agent types (data analysis, web research, code generation, document processing). Instead of building your sandbox config from scratch and learning what each setting does the hard way, you get tested configurations that balance security with actual usability.
It also includes example agent setups that are already wired up with the right tool definitions, workspace paths, and system prompts that tell the agent how to work within the sandbox instead of fighting against it. That system prompt engineering piece is underrated — half the sandbox violations I see are because nobody told the agent where it can write files or which APIs it has access to.
If you're starting fresh with OpenClaw or you're migrating from a different execution environment and want to skip the "why is everything broken" phase, the starter pack is the fastest path to a working setup.
Common Mistakes to Avoid
Setting the sandbox to fully permissive because "it's just development." Bad idea. You'll build agent workflows that depend on unrestricted access, and then everything breaks when you tighten the policy for production. Develop against realistic restrictions from day one.
Not telling the agent about the sandbox constraints. Your agent is an LLM generating code. If you don't tell it that network access is restricted to specific domains, it'll keep trying to requests.get("https://some-random-site.com") and failing. Put the constraints in the system prompt or tool description.
Over-restricting and then wondering why the agent seems "dumb." If your agent fails to complete tasks it should be able to do, check the sandbox log before blaming the model. I've seen people fine-tune prompts for weeks trying to fix a "capability issue" that was actually a blocked syscall.
Ignoring resource limits. An agent running pandas on a 500MB CSV with 256MB of RAM will get OOM-killed, and the error message will look like a code bug, not a resource issue. Size your limits for your data.
Next Steps
Here's what I'd do right now:
-
Audit your current sandbox config. If you're using defaults, you're almost certainly over-restricted. Open your
openclaw.exec.yaml(or create one if you haven't) and explicitly configure network, filesystem, packages, and subprocess policies. -
Enable
log_blocked_operations. Run your agent through its standard workload and review what's getting blocked. Adjust your policy based on what you find. -
Add sandbox constraints to your agent's context. Whether it's a system prompt, tool description, or both — tell the agent exactly what it can and can't do, and where it should read/write files.
-
If you want a head start, grab Felix's OpenClaw Starter Pack and adapt its pre-built policies to your use case instead of starting from zero.
-
Test with adversarial inputs. Once your policy is set, try to break it. Give the agent prompts that would cause dangerous code execution. See if the sandbox catches them. This is where you build actual confidence in your setup.
The sandbox isn't your enemy. It's infrastructure. Like any infrastructure, it works well when you configure it intentionally and poorly when you ignore it. Spend an hour getting your execution policy right, and you'll save yourself weeks of debugging mysterious agent failures.
Now go build something that actually works.